Apple Fixes 3-Year Old Cookie Store Vulnerability in iOS

Apple on Tuesday patched multiple security flaws in iOS, OS X, and Safari, including a Cookie Stores vulnerability in iOS that was initially reported in June 2013, researchers at Skycure reveal.

The security issue, CVE-2016-1730, was found by Skycure’s Adi Sharabani and Yair Amit and involved the way iOS handles Cookie Stores when dealing with Captive Portals. Attackers could exploit the flaw via a public Wi-Fi network and could load and execute malicious content on the victim’s device, Skycure’s Yair Amit explained in a blog post.

According to Amit, when a user connects to a public network, or a captive-enabled network, the iOS device displays a window that allows its owner to use an embedded browser to log in to the network via an HTTP interface. However, the embedded browser was found to share its cookie store with Safari, the native browser in iOS.

Captive-enabled networks are widespread, being commonly used in most free and paid Wi-Fi networks in public places such as hotels, airports, restaurants, and the like. Thus, the sharing of the cookie store between the two browsers creates a vulnerability that can be used in network-based attacks against mobile devices, Skycure warns.

To exploit the vulnerability, an attacker would have to create a public Wi-Fi network and wait for the victim to join the network. Next, the attacker redirects the Apple Captive request to an HTTP website of their choice, which triggers the iOS Captive Network embedded browser screen to open and results in the embedded browser loading attacker-controlled content and executing it.

By exploiting the issue, an attacker can steal the user’s HTTP cookies associated with a site of the attacker’s choice, allowing the attacker to impersonate the victim’s identity on the chosen site. Furthermore, Skycure says the perpetrator can perform a session fixation attack, logging the user into an account they control, because the shared cookie store ensures that the victim is redirected even when using Safari.

Cybercriminals could also use the exploit to perform a cache-poisoning attack on a website of their choice by returning an HTTP response with caching headers, allowing malicious content (JavaScript) to be executed every time the victim connects to that website in the future via Safari on the mobile device.

According to Amit, the attack is effective because the attacker can have the embedded browser automatically opened on the victim’s device by leveraging the way iOS handles captive networks. However, the attack can be performed with similar characteristics even when the user opens Safari to log in to the network.

Apple was informed of this issue on June 3, 2013, but the company took over two and a half years to release a patch for it, the security firm says. Skycure’s researchers note that, while this is the longest it has taken Apple to fix a vulnerability they reported, the fix for the issue was “more complicated than one would imagine” and that Apple was very receptive and responsive.

The newly released iOS 9.2.1 employs an isolated Cookie Store for all Captive Portals, which remediates the issue. iOS device owners are advised to download and install the platform upgrade as soon as possible, to ensure they remain protected against this and other flaws.
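The difference between a shared and an isolated cookie store, as described above, can be modelled with the Python standard library's http.cookiejar. This is an added example, not code from Skycure's post or from Apple; the site URL, cookie names and values are constructed, and the two CookieJar objects stand in for the embedded captive-portal browser's store and Safari's store.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample site; stands in for any HTTP site the user is logged in to.
SITE = "http://victim-site.example/"


class _StoredResponse:
    """Minimal stand-in for an HTTP response so CookieJar can read its headers."""

    def __init__(self, set_cookie_value):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def store_cookie(jar, url, set_cookie_value):
    """Record a Set-Cookie header received while loading url into the given store."""
    jar.extract_cookies(_StoredResponse(set_cookie_value), urllib.request.Request(url))


def cookies_sent(jar, url):
    """Return the Cookie header a request to url would carry from this store."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def simulate(shared_store):
    """Run the captive-portal sequence with one shared store or two isolated ones."""
    main_store = http.cookiejar.CookieJar()          # Safari's store
    captive_store = main_store if shared_store else http.cookiejar.CookieJar()
    # 1. The user is already logged in to SITE in the main browser.
    store_cookie(main_store, SITE, "sid=user-session; Path=/")
    # 2. The captive-portal view is steered to SITE: does it carry that session?
    leaked = cookies_sent(captive_store, SITE)
    # 3. The portal's response answers with a cookie of its own for SITE.
    store_cookie(captive_store, SITE, "sid=portal-chosen; Path=/")
    # 4. What does the main browser now send when the user opens SITE later?
    main_after = cookies_sent(main_store, SITE)
    return {"leaked_to_captive_view": leaked, "main_browser_sends": main_after}


if __name__ == "__main__":
    print("shared store  :", simulate(shared_store=True))
    print("isolated store:", simulate(shared_store=False))
```

With a shared store the captive view sends the existing session cookie and the main browser afterwards carries the portal-chosen one; with isolated stores neither crosses over, which is the property the iOS 9.2.1 change restores.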

With the release of iOS 9 last year, Apple improved many aspects pertaining to the security of its mobile devices, including the “sideloading” process, which boosts app security, and two-factor authentication. In September, the company also resolved a flaw in its over-the-air file sharing technology, AirDrop, which allowed attackers to target victims in close proximity.

Since then, the technology giant patched over one hundred bugs in the mobile platform, including nearly 50 vulnerabilities resolved in the October round of updates, and 50 security holes plugged in December.